HSBC Turkey revealed last week that 2.7 million customer card details had been compromised.

In a statement HSBC claimed to have detected the compromise itself via its own internal controls within a few days of it occurring. Trey Ford, global security strategist at Rapid7 comments, “This is impressive given that the vast majority of breaches are detected by third parties, and often not for months.”

In recent years most compromises are detected long after the event when researchers like Brian Krebs or one of the various intelligence agencies finds evidence of the theft in the underground chat rooms of the dark web. This early detection by the bank suggests that it has efficient internal data controls even though its ‘perimeter’ defenses couldn’t keep the hackers out. (This is neither surprising nor a criticism; and there is as yet no information on how the breach was effected, nor what controls detected the compromise.)

HSBC is stressing that the thieves have not stolen enough data to effect fraud on any of their customers. It has published a FAQ:

2. What type of information was compromised?
Information compromised consisted of card and linked account numbers, card expiry dates and card holder names of our customers. There is no evidence that any of our customers’ financial information or personal information was compromised.

3. Will you renew the cards?
Our cards are secure and customers can continue to use their cards as usual.

4. Can the stolen information be used to print cards and withdraw money from ATMs?
No. It is not possible to print cards and withdraw money from ATMs with the compromised information. Our customers can continue to use their cards confidently.

The stolen data on its own is simply not enough for criminals to use directly. The key piece of missing information is the CVV number (or security code). “We know this information isn’t enough data to execute much in the way of fraud,” says Ford; “they lack key pieces of information, and the logical places to get that information is back inside the bank (which is now on high alert), or contacting the cardholders by name, directly.”

But if the criminals have access to other stolen (or sometimes publicly available) data, they could potentially match the card holder names with email or even physical addresses. Knowledge of the card and account details would in those circumstances be sufficient for very convincing phishing attacks aimed at acquiring the CVV number.

“HSBC Turkey customers should be on the alert, looking out for any strange contact attempts via phone or email that may be criminals posing as the bank. Provide nothing to callers, do not click links in emails – contact the bank directly via the phone or their website,” warns Ford. Since HSBC has decided not to reissue the stolen cards, this could remain a potential threat for some time.